allow different TLS certificates for each binding

Signed-off-by: Nicola Murino <nicola.murino@gmail.com>

httpd/httpd.go

@@ -397,6 +397,10 @@ type Binding struct {
 	EnableWebClient bool `json:"enable_web_client" mapstructure:"enable_web_client"`
 	// you also need to provide a certificate for enabling HTTPS
 	EnableHTTPS bool `json:"enable_https" mapstructure:"enable_https"`
+	// Certificate and matching private key for this specific binding, if empty the global
+	// ones will be used, if any
+	CertificateFile    string `json:"certificate_file" mapstructure:"certificate_file"`
+	CertificateKeyFile string `json:"certificate_key_file" mapstructure:"certificate_key_file"`
 	// Defines the minimum TLS version. 13 means TLS 1.3, default is TLS 1.2
 	MinTLSVersion int `json:"min_tls_version" mapstructure:"min_tls_version"`
 	// set to 1 to require client certificate authentication in addition to basic auth.
@@ -563,8 +567,8 @@ type Conf struct {
 	// Defines a base URL for the web admin and client interfaces. If empty web admin and client resources will
 	// be available at the root ("/") URI. If defined it must be an absolute URI or it will be ignored.
 	WebRoot string `json:"web_root" mapstructure:"web_root"`
-	// If files containing a certificate and matching private key for the server are provided the server will expect
-	// HTTPS connections.
+	// If files containing a certificate and matching private key for the server are provided you can enable
+	// HTTPS connections for the configured bindings.
 	// Certificate and key files can be reloaded on demand sending a "SIGHUP" signal on Unix based systems and a
 	// "paramchange" request to the running service on Windows.
 	CertificateFile    string `json:"certificate_file" mapstructure:"certificate_file"`
@@ -651,6 +655,32 @@ func (c *Conf) getRedacted() Conf {
 	return conf
 }
 
+func (c *Conf) getKeyPairs(configDir string) []common.TLSKeyPair {
+	var keyPairs []common.TLSKeyPair
+
+	for _, binding := range c.Bindings {
+		certificateFile := getConfigPath(binding.CertificateFile, configDir)
+		certificateKeyFile := getConfigPath(binding.CertificateKeyFile, configDir)
+		if certificateFile != "" && certificateKeyFile != "" {
+			keyPairs = append(keyPairs, common.TLSKeyPair{
+				Cert: certificateFile,
+				Key:  certificateKeyFile,
+				ID:   binding.GetAddress(),
+			})
+		}
+	}
+	certificateFile := getConfigPath(c.CertificateFile, configDir)
+	certificateKeyFile := getConfigPath(c.CertificateKeyFile, configDir)
+	if certificateFile != "" && certificateKeyFile != "" {
+		keyPairs = append(keyPairs, common.TLSKeyPair{
+			Cert: certificateFile,
+			Key:  certificateKeyFile,
+			ID:   common.DefaultTLSKeyPaidID,
+		})
+	}
+	return keyPairs
+}
+
 // Initialize configures and starts the HTTP server
 func (c *Conf) Initialize(configDir string, isShared int) error {
 	logger.Info(logSender, "", "initializing HTTP server with config %+v", c.getRedacted())
@@ -662,8 +692,6 @@ func (c *Conf) Initialize(configDir string, isShared int) error {
 	if err := c.checkRequiredDirs(staticFilesPath, templatesPath); err != nil {
 		return err
 	}
-	certificateFile := getConfigPath(c.CertificateFile, configDir)
-	certificateKeyFile := getConfigPath(c.CertificateKeyFile, configDir)
 	if c.isWebAdminEnabled() {
 		updateWebAdminURLs(c.WebRoot)
 		loadAdminTemplates(templatesPath)
@@ -676,8 +704,9 @@ func (c *Conf) Initialize(configDir string, isShared int) error {
 	} else {
 		logger.Info(logSender, "", "built-in web client interface disabled")
 	}
-	if certificateFile != "" && certificateKeyFile != "" {
-		mgr, err := common.NewCertManager(certificateFile, certificateKeyFile, configDir, logSender)
+	keyPairs := c.getKeyPairs(configDir)
+	if len(keyPairs) > 0 {
+		mgr, err := common.NewCertManager(keyPairs, configDir, logSender)
 		if err != nil {
 			return err
 		}